rfc 2616 defines HTTP and therefore how redirects work; and it defines what the content of a location should be (see section 14.30). URLs must be url encoded, no matter whether or not they contain HTML. So, when a location is decoded, it must be url-decoded.
yes, of course the location is a header field, your code snipplet is used for decoding the header fileds, in particular the "location: ..." of a redirect.
HTML entity-decoding looks still like a bug to me.
